Infility Global < 2.15.19 – Subscriber+ SQL Injection via order Parameter | CVE 2026-8163

Description

The plugin does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.

Proof of Concept

## Prerequisites

- A user account at Subscriber level or higher (no plugin configuration is required: the affected admin page is reachable on a default install).
- Plugin Infility Global activated. The vulnerability is present up to and including v2.15.16, the last version published before the plugin was closed on WordPress.org without a fix.

## Steps

1. Log in to WordPress as the Subscriber user and capture the `wordpress_logged_in_*` cookie.
2. Send the following authenticated GET request, replacing `<SITE>` and the cookie with values from the session:

```
curl -s -k -b "wordpress_logged_in_<hash>=<value>" \
  "https://<SITE>/wp-admin/admin.php?page=control-data&orderby=post_id&order=desc%2c(select*from(select(sleep(5)))a)" \
  -o /dev/null -w "time=%{time_total}s\n"
```

3. The response is delayed by ~5 seconds, confirming time-based SQL injection. A baseline request with `order=desc` returns in well under a second, which makes the delay easy to attribute to the injected `SLEEP()`.

The decoded payload `desc,(select*from(select(sleep(5)))a)` is appended verbatim to an `ORDER BY ID ...` clause and executed via `$wpdb->get_results()` without prepared statements, so a UNION-based payload could be substituted to extract arbitrary database contents.